Analyze-Packet Reloaded

Scripting August 14th, 2008

Jeffrey Hicks responded to my comments about his Analyze-Packet PowerShell script and took them as a challenge. Well, he rose to the challenge and sent me a copy of his re-worked scripts and asked for my opinion (he’s the scripting guru, not me, but hey, I’m always willing to shoot my mouth off).

I really liked the way he modified Analyze-Packet to output an analysis object; but since he asked for my opinion, I went through it to see what I might do differently. The biggest thing that jumped out at me was that there were two sections of nearly identical code for name resolution, which begged to be pulled out into a function. The only other suggestion I had was adding a switch parameter to turn off name resolution, which can slow down the processing of the script on a large packet capture, something I’ve run into before. (Actually, I had the switch parameter turn on name resolution, but in the final product Jeff changed it to be the reverse. Good call.) When I’m using other products (read: Wireshark), I turn off name resolution, as it removes some of the overhead and the distraction of names.
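To make the refactoring concrete, here is an added illustration in PowerShell (not Jeff Hicks’ code or anything from his scripts): one shared resolver that both packet scripts could call, a switch that disables lookups, and a cache so a large capture does not pay for the same reverse lookup on every packet. The function names and the sample packet objects are hypothetical.

```powershell
# Added illustration, not Jeff Hicks' code: one shared resolver with a
# -NoResolve switch and a lookup cache. Function names and sample data are hypothetical.
$script:NameCache = @{}

function Resolve-PacketAddress {
    param([Parameter(Mandatory = $true)][string]$Address, [switch]$NoResolve)
    # Caller opted out of DNS: hand back the raw address untouched.
    if ($NoResolve) { return $Address }
    # Reverse lookups are the slow part on big captures; cache each answer
    # so a chatty host costs one lookup, not one per packet.
    if ($script:NameCache.ContainsKey($Address)) { return $script:NameCache[$Address] }
    try   { $name = [System.Net.Dns]::GetHostEntry($Address).HostName }
    catch { $name = $Address }   # unresolvable: keep the literal so output stays usable
    $script:NameCache[$Address] = $name
    return $name
}

function Get-PacketSummary {
    param([Parameter(Mandatory = $true)][object[]]$Packets, [switch]$NoResolve)
    foreach ($p in $Packets) {
        # Pass the switch through with ':' so a $false value really disables it.
        [PSCustomObject]@{
            Source      = Resolve-PacketAddress -Address $p.Source      -NoResolve:$NoResolve
            Destination = Resolve-PacketAddress -Address $p.Destination -NoResolve:$NoResolve
            Protocol    = $p.Protocol
        }
    }
}

# Constructed sample packets (not from a real capture); loopback resolves offline.
$sample = @(
    [PSCustomObject]@{ Source = '127.0.0.1';  Destination = '127.0.0.1';  Protocol = 'TCP' },
    [PSCustomObject]@{ Source = '192.0.2.10'; Destination = '192.0.2.20'; Protocol = 'UDP' }
)
Get-PacketSummary -Packets $sample -NoResolve | Format-Table -AutoSize   # raw addresses only
Get-PacketSummary -Packets $sample            | Format-Table -AutoSize   # names where resolvable
```

The second call makes a real DNS query for the 192.0.2.x addresses, so on an offline box it will simply fall back to the literal addresses after the lookup fails.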

Nice work, Jeff. Check out his blog post here, where he discusses some of the changes that were needed to get both Get-Packet and Analyze-Packet to this point and makes the scripts available for download.